diff options
Diffstat (limited to 'doc/rfc/rfc5191.txt')
-rw-r--r-- | doc/rfc/rfc5191.txt | 2579 |
1 files changed, 2579 insertions, 0 deletions
diff --git a/doc/rfc/rfc5191.txt b/doc/rfc/rfc5191.txt new file mode 100644 index 0000000..25bd448 --- /dev/null +++ b/doc/rfc/rfc5191.txt @@ -0,0 +1,2579 @@ + + + + + + +Network Working Group D. Forsberg +Request for Comments: 5191 Nokia +Category: Standards Track Y. Ohba, Ed. + Toshiba + B. Patil + H. Tschofenig + Nokia Siemens Networks + A. Yegin + Samsung + May 2008 + + + Protocol for Carrying Authentication for Network Access (PANA) + +Status of This Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Abstract + + This document defines the Protocol for Carrying Authentication for + Network Access (PANA), a network-layer transport for Extensible + Authentication Protocol (EAP) to enable network access authentication + between clients and access networks. In EAP terms, PANA is a + UDP-based EAP lower layer that runs between the EAP peer and the EAP + authenticator. + + + + + + + + + + + + + + + + + + + + + +Forsberg, et al. Standards Track [Page 1] + +RFC 5191 PANA May 2008 + + +Table of Contents + + 1. Introduction ....................................................3 + 1.1. Specification of Requirements ..............................4 + 2. Terminology .....................................................4 + 3. Protocol Overview ...............................................6 + 4. Protocol Details ................................................7 + 4.1. Authentication and Authorization Phase .....................7 + 4.2. Access Phase ..............................................11 + 4.3. Re-Authentication Phase ...................................11 + 4.4. Termination Phase .........................................13 + 5. Processing Rules ...............................................13 + 5.1. Fragmentation .............................................13 + 5.2. Sequence Number and Retransmission ........................14 + 5.3. PANA Security Association .................................15 + 5.4. Message Authentication ....................................17 + 5.5. Message Validity Check ....................................17 + 5.6. PaC Updating Its IP Address ...............................19 + 5.7. Session Lifetime ..........................................19 + 6. Message Format .................................................20 + 6.1. IP and UDP Headers ........................................20 + 6.2. PANA Message Header .......................................20 + 6.3. AVP Format ................................................22 + 7. PANA Messages ..................................................24 + 7.1. PANA-Client-Initiation (PCI) ..............................27 + 7.2. PANA-Auth-Request (PAR) ...................................28 + 7.3. PANA-Auth-Answer (PAN) ....................................28 + 7.4. PANA-Termination-Request (PTR) ............................28 + 7.5. PANA-Termination-Answer (PTA) .............................29 + 7.6. PANA-Notification-Request (PNR) ...........................29 + 7.7. PANA-Notification-Answer (PNA) ............................29 + 8. AVPs in PANA ...................................................29 + 8.1. AUTH AVP ..................................................30 + 8.2. EAP-Payload AVP ...........................................30 + 8.3. Integrity-Algorithm AVP ...................................31 + 8.4. Key-Id AVP ................................................31 + 8.5. Nonce AVP .................................................31 + 8.6. PRF-Algorithm AVP .........................................32 + 8.7. Result-Code AVP ...........................................32 + 8.8. Session-Lifetime AVP ......................................32 + 8.9. Termination-Cause AVP .....................................33 + 9. Retransmission Timers ..........................................33 + 9.1. Transmission and Retransmission Parameters ................35 + 10. IANA Considerations ...........................................35 + 10.1. PANA UDP Port Number .....................................36 + 10.2. PANA Message Header ......................................36 + 10.2.1. Message Type ......................................36 + 10.2.2. Flags .............................................36 + + + +Forsberg, et al. Standards Track [Page 2] + +RFC 5191 PANA May 2008 + + + 10.3. AVP Header ...............................................36 + 10.3.1. AVP Code ..........................................37 + 10.3.2. Flags .............................................37 + 10.4. AVP Values ...............................................37 + 10.4.1. Result-Code AVP Values ............................37 + 10.4.2. Termination-Cause AVP Values ......................38 + 11. Security Considerations .......................................38 + 11.1. General Security Measures ................................38 + 11.2. Initial Exchange .........................................40 + 11.3. EAP Methods ..............................................40 + 11.4. Cryptographic Keys .......................................40 + 11.5. Per-Packet Ciphering .....................................41 + 11.6. PAA-to-EP Communication ..................................41 + 11.7. Liveness Test ............................................41 + 11.8. Early Termination of a Session ...........................42 + 12. Acknowledgments ...............................................42 + 13. References ....................................................42 + 13.1. Normative References .....................................42 + 13.2. Informative References ...................................43 + +1. Introduction + + Providing secure network access service requires access control based + on the authentication and authorization of the clients and the access + networks. Client-to-network authentication provides parameters that + are needed to police the traffic flow through the enforcement points. + A protocol is needed to carry authentication methods between the + client and the access network. + + The scope of this work is identified as designing a network-layer + transport for network access authentication methods. The Extensible + Authentication Protocol (EAP) [RFC3748] provides such authentication + methods. In other words, PANA carries EAP, which can carry various + authentication methods. By the virtue of enabling the transport of + EAP above IP, any authentication method that can be carried as an EAP + method is made available to PANA and hence to any link-layer + technology. There is a clear division of labor between PANA (an EAP + lower layer), EAP, and EAP methods as described in [RFC3748]. + + Various environments and usage models for PANA are identified in + Appendix A of [RFC4058]. Potential security threats for + network-layer access authentication protocol are discussed in + [RFC4016]. These have been essential in defining the requirements + [RFC4058] of the PANA protocol. Note that some of these requirements + are imposed by the chosen payload, EAP [RFC3748]. + + + + + + +Forsberg, et al. Standards Track [Page 3] + +RFC 5191 PANA May 2008 + + + There are components that are part of a complete secure network + access solution but are outside of the PANA protocol specification, + including PANA Authentication Agent (PAA) discovery, authentication + method choice, PANA Authentication Agent-Enforcement Point (PAA-EP) + protocol, access control filter creation, and data traffic + protection. These components are described in separate documents + (see [RFC5193] and [RFC5192]). + +1.1. Specification of Requirements + + In this document, several words are used to signify the requirements + of the specification. These words are often capitalized. The key + words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", + "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document + are to be interpreted as described in [RFC2119]. + +2. Terminology + + PANA Client (PaC): + + The client side of the protocol that resides in the access device + (e.g., laptop, PDA, etc.). It is responsible for providing the + credentials in order to prove its identity (authentication) for + network access authorization. The PaC and the EAP peer are + colocated in the same access device. + + PANA Authentication Agent (PAA): + + The protocol entity in the access network whose responsibility it + is to verify the credentials provided by a PANA client (PaC) and + authorize network access to the access device. The PAA and the + EAP authenticator (and optionally the EAP server) are colocated in + the same node. Note the authentication and authorization + procedure can, according to the EAP model, also be offloaded to + the back end Authentication, Authorization, and Accounting (AAA) + infrastructure. + + + + + + + + + + + + + + + +Forsberg, et al. Standards Track [Page 4] + +RFC 5191 PANA May 2008 + + + PANA Session: + + A PANA session is established between the PANA Client (PaC) and + the PANA Authentication Agent (PAA), and it terminates as a result + of an authentication and authorization or liveness test failure, a + message delivery failure after retransmissions reach maximum + values, session lifetime expiration, an explicit termination + message or any event that causes discontinuation of the access + service. A fixed session identifier is maintained throughout a + session. A session cannot be shared across multiple network + interfaces. + + Session Lifetime: + + A duration that is associated with a PANA session. For an + established PANA session, the session lifetime is bound to the + lifetime of the current authorization given to the PaC. The + session lifetime can be extended by a new round of EAP + authentication before it expires. Until a PANA session is + established, the lifetime SHOULD be set to a value that allows the + PaC to detect a failed session in a reasonable amount of time. + + Session Identifier: + + This identifier is used to uniquely identify a PANA session on the + PaC and the PAA. It is included in PANA messages to bind the + message to a specific PANA session. This bidirectional identifier + is allocated by the PAA in the initial request message and freed + when the session terminates. The session identifier is assigned + by the PAA and is unique within the PAA. + + PANA Security Association (PANA SA): + + A PANA security association is formed between the PaC and the PAA + by sharing cryptographic keying material and associated context. + The formed duplex security association is used to protect the + bidirectional PANA signaling traffic between the PaC and PAA. + + Enforcement Point (EP): + + A node on the access network where per-packet enforcement policies + (i.e., filters) are applied on the inbound and outbound traffic of + access devices. The EP and the PAA may be colocated. EPs should + prevent data traffic from and to any unauthorized client, unless + that data traffic is either PANA or one of the other allowed + traffic types (e.g., Address Resolution Protocol (ARP), IPv6 + neighbor discovery, DHCP, etc.). + + + + +Forsberg, et al. Standards Track [Page 5] + +RFC 5191 PANA May 2008 + + + Master Session Key (MSK): + + A key derived by the EAP peer and the EAP server and transported + to the EAP authenticator [RFC3748]. + + For additional terminology definitions, see the PANA framework + document [RFC5193]. + +3. Protocol Overview + + The PANA protocol is run between a client (PaC) and a server (PAA) in + order to perform authentication and authorization for the network + access service. + + The protocol messaging consists of a series of requests and answers, + some of which may be initiated by either end. Each message can carry + zero or more AVPs (Attribute-Value Pairs) within the payload. The + main payload of PANA is EAP, which performs authentication. PANA + helps the PaC and PAA establish an EAP session. + + PANA is a UDP-based protocol. It has its own retransmission + mechanism to reliably deliver messages. + + PANA messages are sent between the PaC and PAA as part of a PANA + session. A PANA session consists of distinct phases: + + o Authentication and authorization phase: This is the phase that + initiates a new PANA session and executes EAP between the PAA and + PaC. The PANA session can be initiated by both the PaC and the + PAA. The EAP payload (which carries an EAP method inside) is what + is used for authentication. The PAA conveys the result of + authentication and authorization to the PaC at the end of this + phase. + + o Access phase: After successful authentication and authorization, + the access device gains access to the network and can send and + receive IP traffic through the EP(s). At any time during this + phase, the PaC and PAA may optionally send PANA notification + messages to test liveness of the PANA session on the peer. + + + + + + + + + + + + +Forsberg, et al. Standards Track [Page 6] + +RFC 5191 PANA May 2008 + + + o Re-authentication phase: During the access phase, the PAA may, and + the PaC should, initiate re-authentication if they want to update + the PANA session lifetime before the PANA session lifetime + expires. EAP is carried by PANA to perform re-authentication. + This phase may be optionally triggered by both the PaC and the PAA + without any respect to the session lifetime. The + re-authentication phase is a sub-phase of the access phase. The + session moves to this sub-phase from the access phase when + re-authentication starts, and returns back there upon successful + re-authentication. + + o Termination phase: The PaC or PAA may choose to discontinue the + access service at any time. An explicit disconnect message can be + sent by either end. If either the PaC or the PAA disconnects + without engaging in termination messaging, it is expected that + either the expiration of a finite session lifetime or failed + liveness tests would clean up the session at the other end. + + Cryptographic protection of messages between the PaC and PAA is + possible as soon as EAP in conjunction with the EAP method exports a + shared key. That shared key is used to create a PANA SA. The PANA + SA helps generate per-message authentication codes that provide + integrity protection and authentication. + +4. Protocol Details + + The following sections explain in detail the various phases of a PANA + session. + +4.1. Authentication and Authorization Phase + + The main task of the authentication and authorization phase is to + establish a PANA session and carry EAP messages between the PaC and + the PAA. The PANA session can be initiated by either the PaC or the + PAA. + + PaC-initiated Session: + + When the PaC initiates a PANA session, it sends a + PANA-Client-Initiation message to the PAA. When the PaC is not + configured with an IP address of the PAA before initiating the + PANA session, DHCP [RFC5192] is used as the default method for + dynamically configuring the IP address of the PAA. Alternative + methods for dynamically discovering the IP address of the PAA may + be used for PaC-initiated sessions, but they are outside the scope + of this specification. The PAA that receives the + PANA-Client-Initiation message MUST respond to the PaC with a + PANA-Auth-Request message. + + + +Forsberg, et al. Standards Track [Page 7] + +RFC 5191 PANA May 2008 + + + PAA-initiated Session: + + When the PAA knows the IP address of the PaC, it MAY send an + unsolicited PANA-Auth-Request to the PaC. The details of how PAA + can learn the IP address of the PaC are outside the scope of this + specification. + + A session identifier for the session is assigned by the PAA and + carried in the initial PANA-Auth-Request message. The same session + identifier MUST be carried in the subsequent messages exchanged + between the PAA and PaC throughout the session. + + When the PaC receives the initial PANA-Auth-Request message from a + PAA, it responds with a PANA-Auth-Answer message, if it wishes to + continue the PANA session. Otherwise, it silently discards the + PANA-Auth-Request message. + + The initial PANA-Auth-Request and PANA-Auth-Answer messages MUST have + the 'S' (Start) bit set, regardless of whether the session is + initiated by the PaC or the PAA. Non-initial PANA-Auth-Request and + PANA-Auth-Answer messages as well as any other messages MUST NOT have + the 'S' (Start) bit set. + + It is recommended that the PAA limit the rate at which it processes + incoming PANA-Client-Initiation messages to provide robustness + against denial of service (DoS) attacks. The details of rate + limiting are outside the scope of this specification. + + If a PANA SA needs to be established with use of a key-generating EAP + method, the Pseudo-Random Function (PRF) and integrity algorithms to + be used for PANA_AUTH_KEY derivation (see Section 5.3) and AUTH AVP + calculation (see Section 5.4) are negotiated as follows: the PAA + sends the initial PANA-Auth-Request carrying one or more + PRF-Algorithm AVPs and one or more Integrity-Algorithm AVPs for the + PRF and integrity algorithms supported by it, respectively. The PaC + then selects one PRF algorithm and one integrity algorithm from these + AVPs carried in the initial PANA-Auth-Request, and it responds with + the initial PANA-Auth-Answer carrying one PRF-Algorithm AVP and one + Integrity-Algorithm AVP for the selected algorithms. The negotiation + is protected after the MSK is available, as described in Section 5.3. + + If the PAA wants to stay stateless in response to a + PANA-Client-Initiation message, it doesn't include an EAP-Payload AVP + in the initial PANA-Auth-Request message, and it should not + retransmit the message on a timer. For this reason, the PaC MUST + retransmit the PANA-Client-Initiation message until it receives the + second PANA-Auth-Request message (not a retransmission of the initial + one) from the PAA. + + + +Forsberg, et al. Standards Track [Page 8] + +RFC 5191 PANA May 2008 + + + It is possible that both the PAA and the PaC initiate the PANA + session at the same time, i.e., the PAA sends the initial PANA-Auth- + Request message without solicitation while the PaC sends a + PANA-Client-Initiation message. To resolve the race condition, the + PAA MUST silently discard the PANA-Client-Initiation message received + from the PaC after it has sent the initial PANA-Auth-Request message. + The PAA uses the source IP address and the source port number of the + PANA-Client-Initiation message to identify the PaC among multiple + PANA-Client-Initiation messages sent from different PaCs. + + EAP messages are carried in PANA-Auth-Request messages. + PANA-Auth-Answer messages are simply used to acknowledge receipt of + the requests. As an optimization, a PANA-Auth-Answer message sent + from the PaC MAY include the EAP message. This optimization SHOULD + NOT be used when it takes time to generate the EAP message (due to, + e.g., intervention of human input), in which case returning an + PANA-Auth-Answer message without piggybacking an EAP message can + avoid unnecessary retransmission of the PANA-Auth-Request message. + + A Nonce AVP MUST be included in the first PANA-Auth-Request and + PANA-Auth-Answer messages following the initial PANA-Auth-Request and + PANA-Auth-Answer messages (i.e., with the 'S' (Start) bit set), and + MUST NOT be included in any other message, except during + re-authentication procedures (see Section 4.3). + + The result of PANA authentication is carried in the last + PANA-Auth-Request message sent from the PAA to the PaC. This message + carries the EAP authentication result and the result of PANA + authentication. The last PANA-Auth-Request message MUST be + acknowledged with a PANA-Auth-Answer message. The last + PANA-Auth-Request and PANA-Auth-Answer messages MUST have the 'C' + (Complete) bit set, and any other message MUST NOT have the 'C' + (Complete) bit set. Figure 1 shows an example sequence in the + authentication and authorization phase for a PaC-initiated session. + + + + + + + + + + + + + + + + + +Forsberg, et al. Standards Track [Page 9] + +RFC 5191 PANA May 2008 + + + PaC PAA Message(sequence number)[AVPs] + --------------------------------------------------------------------- + -----> PANA-Client-Initiation(0) + <----- PANA-Auth-Request(x)[PRF-Algorithm,Integrity-Algorithm] + // The 'S' (Start) bit set + -----> PANA-Auth-Answer(x)[PRF-Algorithm, Integrity-Algorithm] + // The 'S' (Start) bit set + <----- PANA-Auth-Request(x+1)[Nonce, EAP-Payload] + -----> PANA-Auth-Answer(x+1)[Nonce] // No piggybacking EAP + -----> PANA-Auth-Request(y)[EAP-Payload] + <----- PANA-Auth-Answer(y) + <----- PANA-Auth-Request(x+2)[EAP-Payload] + -----> PANA-Auth-Answer(x+2)[EAP-Payload] + // Piggybacking EAP + <----- PANA-Auth-Request(x+3)[Result-Code, EAP-Payload, + Key-Id, Session-Lifetime, AUTH] + // The 'C' (Complete) bit set + -----> PANA-Auth-Answer(x+3)[Key-Id, AUTH] + // The 'C' (Complete) bit set + + Figure 1: Example sequence for the authentication and authorization + phase for a PaC-initiated session ("Piggybacking EAP" is + the case in which an EAP-Payload AVP is carried in PAN) + + If a PANA SA needs to be established with use of a key-generating EAP + method and an MSK is successfully generated, the last + PANA-Auth-Request message with the 'C' (Complete) bit set MUST + contain a Key-Id AVP and an AUTH AVP for the first derivation of keys + in the session, and any subsequent message MUST contain an AUTH AVP. + + EAP authentication can fail at a pass-through authenticator without + sending an EAP Failure message [RFC4137]. When this occurs, the PAA + SHOULD silently terminate the session, expecting that a session + timeout on the PaC will clean up the state on the PaC. + + There is a case where EAP authentication succeeds with producing an + EAP Success message, but network access authorization fails due to, + e.g., authorization rejected by a AAA server or authorization locally + rejected by the PAA. When this occurs, the PAA MUST send the last + PANA-Auth-Request with a result code PANA_AUTHORIZATION_REJECTED. If + an MSK is available, the last PANA-Auth-Request and PANA-Auth-Answer + messages with the 'C' (Complete) bit set MUST be protected with an + AUTH AVP and carry a Key-Id AVP. The PANA session MUST be terminated + immediately after the last PANA-Auth message exchange. + + For reasons described in Section 3 of [RFC5193], the PaC may need to + reconfigure the IP address after a successful authentication and + authorization phase to obtain an IP address that is usable for + + + +Forsberg, et al. Standards Track [Page 10] + +RFC 5191 PANA May 2008 + + + exchanging data traffic through EP. In this case, the PAA sets the + 'I' (IP Reconfiguration) bit of PANA-Auth-Request messages in the + authentication and authorization phase to indicate to the PaC the + need for IP address reconfiguration. How IP address reconfiguration + is performed is outside the scope of this document. + +4.2. Access Phase + + Once the authentication and authorization phase successfully + completes, the PaC gains access to the network and can send and + receive IP data traffic through the EP(s), and the PANA session + enters the access phase. In this phase, PANA-Notification-Request + and PANA-Notification-Answer messages with the 'P' (Ping) bit set + (ping request and ping answer messages, respectively) can be used for + testing the liveness of the PANA session on the PANA peer. Both the + PaC and the PAA are allowed to send a ping request to the + communicating peer whenever they need to ensure the availability of + the session on the peer, and they expect the peer to return a ping + answer message. The ping request and answer messages MUST be + protected with an AUTH AVP when a PANA SA is available. A ping + request MUST NOT be sent in the authentication and authorization + phase, re-authentication phase, and termination phase. + + Implementations MUST limit the rate of performing this test. The PaC + and the PAA can handle rate limitation on their own, they do not have + to perform any coordination with each other. There is no negotiation + of timers for this purpose. Additionally, an implementation MAY rate + limit processing the incoming ping requests. It should be noted that + if a PAA or PaC that considers its connectivity lost after a + relatively small number of unresponsive pings is coupled with a peer + that is aggressively rate limiting the ping request and answer + messages, then false-positives could result. Therefore, a PAA or PaC + should not rely on frequent ping operation to quickly determine loss + of connectivity. + +4.3. Re-Authentication Phase + + The PANA session in the access phase can enter the re-authentication + phase to extend the current session lifetime by re-executing EAP. + Once the re-authentication phase successfully completes, the session + re-enters the access phase. Otherwise, the session is terminated. + + When the PaC initiates re-authentication, it sends a + PANA-Notification-Request message with the 'A' (re-Authentication) + bit set (a re-authentication request message) to the PAA. This + message MUST contain the session identifier assigned to the session + being re-authenticated. If the PAA already has an established PANA + session for the PaC with the matching session identifier, it MUST + + + +Forsberg, et al. Standards Track [Page 11] + +RFC 5191 PANA May 2008 + + + first respond with a PANA-Notification-Answer message with the 'A' + (re-Authentication) bit set (a re-authentication answer message), + followed by a PANA-Auth-Request message that starts a new EAP + authentication. If the PAA cannot identify the session, it MUST + silently discard the message. The first PANA-Auth-Request and + PANA-Auth-Answer messages in the re-authentication phase MUST have + the 'S' (Start) bit cleared and carry a Nonce AVP. + + The PaC may receive a PANA-Auth-Request before receiving the answer + to its outstanding re-authentication request message. This condition + can arise due to packet re-ordering or a race condition between the + PaC and PAA when they both attempt to engage in re-authentication. + The PaC MUST keep discarding the received PANA-Auth-Requests until it + receives the answer to its request. + + When the PAA initiates re-authentication, it sends a + PANA-Auth-Request message containing the session identifier for the + PaC. The PAA MUST initiate EAP re-authentication before the current + session lifetime expires. + + Re-authentication of an ongoing PANA session MUST NOT reset the + sequence numbers. + + For any re-authentication, if there is an established PANA SA, + re-authentication request and answer messages and subsequent + PANA-Auth-Request and PANA-Auth-Answer messages MUST be protected + with an AUTH AVP. The final PANA-Auth-Request and PANA-Auth-Answer + messages and any subsequent PANA message MUST be protected by using + the key generated from the latest EAP authentication. + + + + + + + + + + + + + + + + + + + + + + +Forsberg, et al. Standards Track [Page 12] + +RFC 5191 PANA May 2008 + + + PaC PAA Message(sequence number)[AVPs] + --------------------------------------------------------------------- + -----> PANA-Notification-Request(q)[AUTH] + // The 'A' (re-Authentication) bit set + <----- PANA-Notification-Answer(q)[AUTH] + // The 'A' (re-Authentication) bit set + <----- PANA-Auth-Request(p)[EAP-Payload, Nonce, AUTH] + -----> PANA-Auth-Answer(p)[AUTH, Nonce] + -----> PANA-Auth-Request(q+1)[EAP-Payload, AUTH] + <----- PANA-Auth-Answer(q+1)[AUTH] + <----- PANA-Auth-Request(p+1)[EAP-Payload, AUTH] + -----> PANA-Auth-Answer(p+1)[EAP-Payload, AUTH] + <----- PANA-Auth-Request(p+2)[Result-Code, EAP-Payload, + Key-Id, Session-Lifetime, AUTH] + // The 'C' (Complete) bit set + -----> PANA-Auth-Answer(p+2)[Key-Id, AUTH] + // The 'C' (Complete) bit set + + Figure 2: Example sequence for the re-authentication phase initiated + by PaC + +4.4. Termination Phase + + A procedure for explicitly terminating a PANA session can be + initiated either from the PaC (i.e., disconnect indication) or from + the PAA (i.e., session revocation). The PANA-Termination-Request and + PANA-Termination-Answer message exchanges are used for + disconnect-indication and session-revocation procedures. + + The reason for termination is indicated in the Termination-Cause AVP. + When there is an established PANA SA between the PaC and the PAA, all + messages exchanged during the termination phase MUST be protected + with an AUTH AVP. When the sender of the PANA-Termination-Request + message receives a valid acknowledgment, all states maintained for + the PANA session MUST be terminated immediately. + +5. Processing Rules + +5.1. Fragmentation + + PANA does not provide fragmentation of PANA messages. Instead, it + relies on fragmentation provided by EAP methods and IP layer when + needed. + + + + + + + + +Forsberg, et al. Standards Track [Page 13] + +RFC 5191 PANA May 2008 + + +5.2. Sequence Number and Retransmission + + PANA uses sequence numbers to provide ordered and reliable delivery + of messages. + + The PaC and PAA maintain two sequence numbers: one is for setting the + sequence number of the next outgoing request; the other is for + matching the sequence number of the next incoming request. These + sequence numbers are 32-bit unsigned numbers. They are monotonically + incremented by 1 as new requests are generated and received, and + wrapped to zero on the next message after 2^32-1. Answers always + contain the same sequence number as the corresponding request. + Retransmissions reuse the sequence number contained in the original + packet. + + The initial sequence numbers (ISN) are randomly picked by the PaC and + PAA as they send their very first request messages. + PANA-Client-Initiation message carries sequence number 0. + + When a request message is received, it is considered valid in terms + of sequence numbers if and only if its sequence number matches the + expected value. This check does not apply to the + PANA-Client-Initiation message and the initial PANA-Auth-Request + message. + + When an answer message is received, it is considered valid in terms + of sequence numbers if and only if its sequence number matches that + of the currently outstanding request. A peer can only have one + outstanding request at a time. + + PANA request messages are retransmitted based on a timer until an + answer is received (in which case the retransmission timer is + stopped) or the number of retransmission reaches the maximum value + (in which case the PANA session MUST be terminated immediately). + + The retransmission timers SHOULD be calculated as described in + Section 9, unless a given deployment chooses to use its own + retransmission timers optimized for the underlying link-layer + characteristics. + + Unless dropped due to rate limiting, the PaC and PAA MUST respond to + all duplicate request messages received. The last transmitted answer + MAY be cached in case it is not received by the peer, which generates + a retransmission of the last request. When available, the cached + answer can be used instead of fully processing the retransmitted + request and forming a new answer from scratch. + + + + + +Forsberg, et al. Standards Track [Page 14] + +RFC 5191 PANA May 2008 + + +5.3. PANA Security Association + + A PANA SA is created as an attribute of a PANA session when EAP + authentication succeeds with a creation of an MSK. A PANA SA is not + created when the PANA authentication fails or no MSK is produced by + the EAP authentication method. When a new MSK is derived in the PANA + re-authentication phase, any key derived from the old MSK MUST be + updated to a new one that is derived from the new MSK. In order to + distinguish the new MSK from old ones, one Key-Id AVP MUST be carried + in the last PANA-Auth-Request and PANA-Auth-Answer messages with the + 'C' (Complete) bit set at the end of the EAP authentication, which + resulted in deriving a new MSK. The Key-Id AVP is of type Unsigned32 + and MUST contain a value that uniquely identifies the MSK within the + PANA session. The last PANA-Auth-Answer message with the 'C' + (Complete) bit set in response to the last PANA-Auth-Request message + with the 'C' (Complete) bit set MUST contain a Key-Id AVP with the + same MSK identifier carried in the request. The last + PANA-Auth-Request and PANA-Auth-Answer messages with a Key-Id AVP + MUST also carry an AUTH AVP whose value is computed by using the new + PANA_AUTH_KEY derived from the new MSK. Although the specification + does not mandate a particular method for calculation of the Key-Id + AVP value, a simple method is to use monotonically increasing + numbers. + + The PANA session lifetime is bounded by the authorization lifetime + granted by the authentication server (same as the MSK lifetime). The + lifetime of the PANA SA (hence the PANA_AUTH_KEY) is the same as the + lifetime of the PANA session. The created PANA SA is deleted when + the corresponding PANA session is terminated. + + PANA SA attributes as well as PANA session attributes are listed + below: + + PANA Session attributes: + + * Session Identifier + + * IP address and UDP port number of the PaC + + * IP address and UDP port number of the PAA + + * Sequence number for the next outgoing request + + * Sequence number for the next incoming request + + * Last transmitted message payload + + * Retransmission interval + + + +Forsberg, et al. Standards Track [Page 15] + +RFC 5191 PANA May 2008 + + + * Session lifetime + + * PANA SA attributes + + PANA SA attributes: + + * Nonce generated by PaC (PaC_nonce) + + * Nonce generated by PAA (PAA_nonce) + + * MSK + + * MSK Identifier + + * PANA_AUTH_KEY + + * Pseudo-random function + + * Integrity algorithm + + The PANA_AUTH_KEY is derived from the available MSK, and it is used + to integrity protect PANA messages. The PANA_AUTH_KEY is computed in + the following way: + + PANA_AUTH_KEY = prf+(MSK, "IETF PANA"|I_PAR|I_PAN| + PaC_nonce|PAA_nonce|Key_ID) + + where: + + - The prf+ function is defined in IKEv2 [RFC4306]. The pseudo-random + function to be used for the prf+ function is negotiated using + PRF-Algorithm AVP in the initial PANA-Auth-Request and + PANA-Auth-Answer exchange with 'S' (Start) bit set. + + - MSK is the master session key generated by the EAP method. + + - "IETF PANA" is the ASCII code representation of the non-NULL + terminated string (excluding the double quotes around it). + + - I_PAR and I_PAN are the initial PANA-Auth-Request and + PANA-Auth-Answer messages (the PANA header and the following PANA + AVPs) with 'S' (Start) bit set, respectively. + + - PaC_nonce and PAA_nonce are values of the Nonce AVP carried in the + first non-initial PANA-Auth-Answer and PANA-Auth-Request messages + in the authentication and authorization phase or the first + PANA-Auth-Answer and PANA-Auth-Request messages in the + re-authentication phase, respectively. + + + +Forsberg, et al. Standards Track [Page 16] + +RFC 5191 PANA May 2008 + + + - Key_ID is the value of the Key-Id AVP. + + The length of PANA_AUTH_KEY depends on the integrity algorithm in + use. See Section 5.4 for the detailed usage of the PANA_AUTH_KEY. + +5.4. Message Authentication + + A PANA message can contain an AUTH AVP for cryptographically + protecting the message. + + When an AUTH AVP is included in a PANA message, the Value field of + the AUTH AVP is calculated by using the PANA_AUTH_KEY in the + following way: + + AUTH AVP value = PANA_AUTH_HASH(PANA_AUTH_KEY, PANA_PDU) + + where PANA_PDU is the PANA message including the PANA header, with + the AUTH AVP Value field first initialized to 0. PANA_AUTH_HASH + represents the integrity algorithm negotiated using + Integrity-Algorithm AVP in the initial PANA-Auth-Request and + PANA-Auth-Answer exchange with 'S' (Start) bit set. The PaC and PAA + MUST use the same integrity algorithm to calculate an AUTH AVP they + originate and receive. + +5.5. Message Validity Check + + When a PANA message is received, the message is considered to be + invalid, at least when one of the following conditions are not met: + + o Each field in the message header contains a valid value including + sequence number, message length, message type, flags, session + identifier, etc. + + o The message type is one of the expected types in the current + state. Specifically, the following messages are unexpected and + invalid: + + * In the authentication and authorization phase: + + + PANA-Client-Initiation after completion of the initial + PANA-Auth-Request and PANA-Auth-Answer exchange with 'S' + (Start) bit set. + + + Re-authentication request. + + + Ping request. + + + + + +Forsberg, et al. Standards Track [Page 17] + +RFC 5191 PANA May 2008 + + + + The last PANA-Auth-Request with 'C' (Complete) bit set + before completion of the initial PANA-Auth-Request and + PANA-Auth-Answer exchange with 'S' (Start) bit set. + + + The initial PANA-Auth-Request with 'S' (Start) bit set after + a PaC receives a valid non-initial PANA-Auth-Request with + 'S' (Start) bit cleared. + + + PANA-Termination-Request. + + * In the re-authentication phase: + + + PANA-Client-Initiation. + + + The initial PANA-Auth-Request. + + * In the access phase: + + + PANA-Auth-Request. + + + PANA-Client-Initiation. + + * In the termination phase: + + + PANA-Client-Initiation. + + + All requests but PANA-Termination-Request and ping request. + + o The message payload contains a valid set of AVPs allowed for the + message type. There is no missing AVP that needs to be included + in the payload, and no AVP, which needs to be at a fixed position, + is included in a position different from this fixed position. + + o Each AVP is recognized and decoded correctly. + + o Once the PANA authentication succeeds in using a key-generating + EAP method, the PANA-Auth-Request message that carries the EAP + Success and any subsequent message in that session contains an + AUTH AVP. The AVP value matches the hash value computed against + the received message. + + Invalid messages MUST be discarded in order to provide robustness + against DoS attacks. + + + + + + + + +Forsberg, et al. Standards Track [Page 18] + +RFC 5191 PANA May 2008 + + +5.6. PaC Updating Its IP Address + + A PaC's IP address used for PANA can change in certain situations, + e.g., when IP address reconfiguration is needed for the PaC to obtain + an IP address after successful PANA authentication (see Section 3 of + [RFC5193]) or when the PaC moves from one IP link to another within + the same PAA's realm. In order to maintain the PANA session, the PAA + needs to be notified about the change of PaC address. + + After the PaC has changed its IP address used for PANA, it MUST send + any valid PANA message. If the message that carries the new PaC IP + address in the Source Address field of the IP header is valid, the + PAA MUST update the PANA session with the new PaC address. If there + is an established PANA SA, the message MUST be protected with an AUTH + AVP. + +5.7. Session Lifetime + + The authentication and authorization phase determines the PANA + session lifetime, and the lifetime is indicated to the PaC when the + network access authorization succeeds. For this purpose, when the + last PANA-Auth-Request message (i.e., with the 'C' (Complete) bit + set) in authentication and authorization phase or re-authentication + phase carries a Result-Code AVP with a value of PANA_SUCCESS, a + Session-Lifetime AVP MUST also be carried in the message. A + Session-Lifetime AVP MUST be ignored when included in other PANA + messages. + + The lifetime is a non-negotiable parameter that can be used by the + PaC to manage PANA-related state. The PaC MUST initiate the + re-authentication phase before the current session lifetime expires, + if it wants to extend the session. + + The PaC and the PAA MAY use information obtained outside PANA (e.g., + lower-layer indications) to expedite the detection of a disconnected + peer. Availability and reliability of such indications MAY depend on + a specific link-layer or network topology and are therefore only + hints. A PANA peer SHOULD use the ping request and answer exchange + to verify that a peer is, in fact, no longer alive, unless + information obtained outside PANA is being used to expedite the + detection of a disconnected peer. + + The session lifetime parameter is not related to the transmission of + ping request messages. These messages can be used for asynchronously + verifying the liveness of the peer. The decision to send a ping + request message is made locally and does not require coordination + between the peers. + + + + +Forsberg, et al. Standards Track [Page 19] + +RFC 5191 PANA May 2008 + + +6. Message Format + + This section defines message formats for PANA protocol. + +6.1. IP and UDP Headers + + Any PANA message is unicast between the PaC and the PAA. + + For any PANA message sent from the peer that has initiated the PANA + session, the UDP source port is set to any number on which the peer + can receive incoming PANA messages, and the destination port is set + to the assigned PANA port number (716). For any PANA message sent + from the other peer, the source port is set to the assigned PANA port + number (716), and the destination port is copied from the source port + of the last received message. In case both the PaC and PAA initiate + the session (i.e., PANA-Client-Initiation and unsolicited PANA-Auth- + Request messages cross each other), then the PaC is identified as the + initiator. All PANA peers MUST listen on the assigned PANA port + number (716). + +6.2. PANA Message Header + + A summary of the PANA message header format is shown below. The + fields are transmitted in network byte order. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Reserved | Message Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Flags | Message Type | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Session Identifier | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Sequence Number | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | AVPs ... + +-+-+-+-+-+-+-+-+-+-+-+-+- + + Reserved + + This 16-bit field is reserved for future use. It MUST be set to + zero and ignored by the receiver. + + + + + + + + +Forsberg, et al. Standards Track [Page 20] + +RFC 5191 PANA May 2008 + + + Message Length + + The Message Length field is two octets and indicates the length of + the PANA message including the header fields. + + Flags + + The Flags field is two octets. The following bits are assigned: + + 0 1 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |R S C A P I r r r r r r r r r r| + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + R (Request) + + If set, the message is a request. If cleared, the message is an + answer. + + S (Start) + + If set, the message is the first PANA-Auth-Request or + PANA-Auth-Answer in authentication and authorization phase. For + other messages, this bit MUST be cleared. + + C (Complete) + + If set, the message is the last PANA-Auth-Request or + PANA-Auth-Answer in authentication and authorization phase. For + other messages, this bit MUST be cleared. + + A (re-Authentication) + + If set, the message is a PANA-Notification-Request or + PANA-Notification-Answer to initiate re-authentication. For other + messages, this bit MUST be cleared. + + P (Ping) + + If set, the message is a PANA-Notification-Request or + PANA-Notification-Answer for liveness test. For other messages, + this bit MUST be cleared. + + + + + + + + +Forsberg, et al. Standards Track [Page 21] + +RFC 5191 PANA May 2008 + + + I (IP Reconfiguration) + + If set, it indicates that the PaC is required to perform IP + address reconfiguration after successful authentication and + authorization phase to configure an IP address that is usable for + exchanging data traffic across EP. This bit is set by the PAA + only for PANA-Auth-Request messages in the authentication and + authorization phase. For other messages, this bit MUST be + cleared. + + r (reserved) + + These flag bits are reserved for future use. They MUST be set to + zero and ignored by the receiver. + + Message Type + + The Message Type field is two octets, and it is used in order to + communicate the message type with the message. Message Type + allocation is managed by IANA [IANAWEB]. + + Session Identifier + + This field contains a 32-bit session identifier. + + Sequence Number + + This field contains a 32-bit sequence number. + + AVPs + + AVPs are a method of encapsulating information relevant to the + PANA message. See Section 6.3 for more information on AVPs. + +6.3. AVP Format + + Each AVP of type OctetString MUST be padded to align on a 32-bit + boundary, while other AVP types align naturally. A number of + zero-valued bytes are added to the end of the AVP Value field until a + word boundary is reached. The length of the padding is not reflected + in the AVP Length field [RFC3588]. + + + + + + + + + + +Forsberg, et al. Standards Track [Page 22] + +RFC 5191 PANA May 2008 + + + The fields in the AVP are sent in network byte order. The AVP format + is: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | AVP Code | AVP Flags | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | AVP Length | Reserved | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Vendor-Id (opt) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Value ... + +-+-+-+-+-+-+-+-+ + + AVP Code + + The AVP Code, together with the optional Vendor-Id field, + identifies an attribute that follows. If the V-bit is not set, + then the Vendor-Id is not present and the AVP Code refers to an + IETF attribute. + + AVP Flags + + The AVP Flags field is two octets. The following bits are + assigned: + + 0 1 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |V r r r r r r r r r r r r r r r| + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + V (Vendor) + + The 'V' (Vendor) bit indicates whether the optional Vendor-Id + field is present in the AVP header. When set, the AVP Code + belongs to the specific vendor code address space. All AVPs + defined in this document MUST have the 'V' (Vendor) bit cleared. + + r (reserved) + + These flag bits are reserved for future use. They MUST be set to + zero and ignored by the receiver. + + + + + + + +Forsberg, et al. Standards Track [Page 23] + +RFC 5191 PANA May 2008 + + + AVP Length + + The AVP Length field is two octets, and indicates the number of + octets in the Value field. The length of the AVP Code, AVP + Length, AVP Flags, Reserved and Vendor-Id fields are not counted + in the AVP Length value. + + Reserved + + This two-octet field is reserved for future use. It MUST be set + to zero and ignored by the receiver. + + Vendor-Id + + The Vendor-Id field is present if the 'V' (Vendor) bit is set in + the AVP Flags field. The optional four-octet Vendor-Id field + contains the IANA assigned "SMI Network Management Private + Enterprise Codes" [IANAWEB] value, encoded in network byte order. + Any vendor wishing to implement a vendor-specific PANA AVP MUST + use their own Vendor-Id along with their privately managed AVP + address space, guaranteeing that they will not collide with any + other vendor's vendor-specific AVP(s) nor with future IETF + applications. + + Value + + The Value field is zero or more octets and contains information + specific to the Attribute. The format of the Value field is + determined by the AVP Code and Vendor-Id fields. The length of + the Value field is determined by the AVP Length field. + +7. PANA Messages + + Each Request/Answer message pair is assigned a sequence number, and + the sub-type (i.e., request or answer) is identified via the 'R' + (Request) bit in the Message Flags field of the PANA message header. + + + + + + + + + + + + + + + +Forsberg, et al. Standards Track [Page 24] + +RFC 5191 PANA May 2008 + + + Every PANA message MUST contain a message type in its header's + Message Type field, which is used to determine the action that is to + be taken for a particular message. Figure 3 lists all PANA messages + defined in this document: + + Message Name Abbrev. Message PaC<->PAA Ref. + Type + --------------------------------------------------------------------- + PANA-Client-Initiation PCI 1 --------> 7.1 + PANA-Auth-Request PAR 2 <-------> 7.2 + PANA-Auth-Answer PAN 2 <-------> 7.3 + PANA-Termination-Request PTR 3 <-------> 7.4 + PANA-Termination-Answer PTA 3 <-------> 7.5 + PANA-Notification-Request PNR 4 <-------> 7.6 + PANA-Notification-Answer PNA 4 <-------> 7.7 + --------------------------------------------------------------------- + + Figure 3: Table of PANA Messages + + The language used for PANA message definitions (i.e., AVPs valid for + that PANA message type), in Section 7.1 through Section 7.7, is + defined using ABNF [RFC5234] as follows: + + message-def = Message-Name LWSP "::=" LWSP PANA-message + + Message-Name = PANA-name + + PANA-name = ALPHA *(ALPHA / DIGIT / "-") + + PANA-message = header LWSP *fixed LWSP *required + LWSP *optional LWSP *fixed + + header = "<" LWSP "PANA-Header:" LWSP Message-Type + [r-bit] [s-bit] [c-bit] [a-bit] [p-bit] [i-bit] + LWSP ">" + + Message-Type = 1*DIGIT + ; The Message Type assigned to the message + + r-bit = ",REQ" + ; If present, the 'R' (Request) bit in the Message + ; Flags is set, indicating that the message + ; is a request, as opposed to an answer. + + + + + + + + +Forsberg, et al. Standards Track [Page 25] + +RFC 5191 PANA May 2008 + + + s-bit = ",STA" + ; If present, the 'S' (Start) bit in the Message + ; Flags is set, indicating that the message + ; is the initial PAR or PAN in authentication + ; and authorization phase. + + c-bit = ",COM" + ; If present, the 'C' bit in the Message + ; Flags is set, indicating that the message + ; is the final PAR and PAN in authentication + ; and authorization phase or re-authentication + ; phase. + + a-bit = ",REA" + ; If present, the 'A' (re-Authentication) bit + ; in the Message Flags is set, indicating that + ; the message is a re-authentication request or + ; answer. + + p-bit = ",PIN" + ; If present, the 'P' (Ping) bit in the Message + ; Flags is set, indicating that the message + ; is a ping request or answer. + + i-bit = ",IPR" + ; If present, the 'I' (IP Reconfiguration) bit + ; in the Message Flags is set, indicating that + ; the PaC requires IP address reconfiguration + ; after successful authentication and + ; authorization phase. + + fixed = [qual] "<" LWSP avp-spec LWSP ">" + ; Defines the fixed position of an AVP. + + required = [qual] "{" LWSP avp-spec LWSP "}" + ; The AVP MUST be present and can appear + ; anywhere in the message. + + optional = [qual] "[" LWSP avp-name LWSP "]" + ; The avp-name in the 'optional' rule cannot + ; evaluate any AVP Name that is included + ; in a fixed or required rule. The AVP can + ; appear anywhere in the message. + + + + + + + + +Forsberg, et al. Standards Track [Page 26] + +RFC 5191 PANA May 2008 + + + qual = [min] "*" [max] + ; See ABNF conventions, RFC 5234 Section 3.6. + ; The absence of any qualifiers depends on whether + ; it precedes a fixed, required, or optional + ; rule. If a fixed or required rule has no + ; qualifier, then exactly one such AVP MUST + ; be present. If an optional rule has no + ; qualifier, then 0 or 1 such AVP may be + ; present. + ; + ; NOTE: "[" and "]" have a different meaning + ; than in ABNF (see the optional rule, above). + ; These braces cannot be used to express + ; optional fixed rules (such as an optional + ; AUTH at the end). To do this, the convention + ; is '0*1fixed'. + + min = 1*DIGIT + ; The minimum number of times the element may + ; be present. The default value is zero. + + max = 1*DIGIT + ; The maximum number of times the element may + ; be present. The default value is infinity. A + ; value of zero implies the AVP MUST NOT be + ; present. + + avp-spec = PANA-name + ; The avp-spec has to be an AVP Name, defined + ; in the base or extended PANA protocol + ; specifications. + + avp-name = avp-spec / "AVP" + ; The string "AVP" stands for *any* arbitrary + ; AVP Name, which does not conflict with the + ; required or fixed position AVPs defined in + ; the message definition. + +7.1. PANA-Client-Initiation (PCI) + + The PANA-Client-Initiation (PCI) message is used for PaC-initiated + session. The Sequence Number and Session Identifier fields in this + message MUST be set to zero (0). + + PANA-Client-Initiation ::= < PANA-Header: 1 > + *[ AVP ] + + + + + +Forsberg, et al. Standards Track [Page 27] + +RFC 5191 PANA May 2008 + + +7.2. PANA-Auth-Request (PAR) + + The PANA-Auth-Request (PAR) message is either sent by the PAA or the + PaC. + + The message MUST NOT have both the 'S' (Start) and 'C' (Complete) + bits set. + + PANA-Auth-Request ::= < PANA-Header: 2,REQ[,STA][,COM][,IPR] > + [ EAP-Payload ] + [ Nonce ] + *[ PRF-Algorithm ] + *[ Integrity-Algorithm ] + [ Result-Code ] + [ Session-Lifetime ] + [ Key-Id ] + *[ AVP ] + 0*1< AUTH > + +7.3. PANA-Auth-Answer (PAN) + + The PANA-Auth-Answer (PAN) message is sent by either the PaC or the + PAA in response to a PANA-Auth-Request message. + + The message MUST NOT have both the 'S' (Start) and 'C' (Complete) + bits set. + + PANA-Auth-Answer ::= < PANA-Header: 2[,STA][,COM] > + [ Nonce ] + [ PRF-Algorithm ] + [ Integrity-Algorithm ] + [ EAP-Payload ] + [ Key-Id ] + *[ AVP ] + 0*1< AUTH > + +7.4. PANA-Termination-Request (PTR) + + The PANA-Termination-Request (PTR) message is sent either by the PaC + or the PAA to terminate a PANA session. + + PANA-Termination-Request ::= < PANA-Header: 3,REQ > + < Termination-Cause > + *[ AVP ] + 0*1< AUTH > + + + + + + +Forsberg, et al. Standards Track [Page 28] + +RFC 5191 PANA May 2008 + + +7.5. PANA-Termination-Answer (PTA) + + The PANA-Termination-Answer (PTA) message is sent either by the PaC + or the PAA in response to PANA-Termination-Request. + + PANA-Termination-Answer ::= < PANA-Header: 3 > + *[ AVP ] + 0*1< AUTH > + +7.6. PANA-Notification-Request (PNR) + + The PANA-Notification-Request (PNR) message is used for signaling + re-authentication and performing liveness test. See Section 4.3 and + Section 4.2 for details on re-authentication and liveness test, + respectively. + + The message MUST have one of the 'A' (re-Authentication) and 'P' + (Ping) bits exclusively set. + + PANA-Notification-Request ::= < PANA-Header: 4,REQ[,REA][,PIN] > + *[ AVP ] + 0*1< AUTH > + +7.7. PANA-Notification-Answer (PNA) + + The PANA-Notification-Answer (PNA) message is sent by the PAA (PaC) + to the PaC (PAA) in response to a PANA-Notification-Request from the + PaC (PAA). + + The message MUST have one of the 'A' (re-Authentication) and 'P' + (Ping) bits exclusively set. + + PANA-Notification-Answer ::= < PANA-Header: 4[,REA][,PIN] > + *[ AVP ] + 0*1< AUTH > + +8. AVPs in PANA + + This document uses AVP Value Format such as 'OctetString' and + 'Unsigned32' as defined in Section 4.2 of [RFC3588]. The definitions + of these data formats are not repeated in this document. + + The following table lists the AVPs used in this document, and + specifies in which PANA messages they MAY or MAY NOT be present. + + + + + + + +Forsberg, et al. Standards Track [Page 29] + +RFC 5191 PANA May 2008 + + + The table uses the following symbols: + + 0 The AVP MUST NOT be present in the message. + + 0-1 Zero or one instance of the AVP MAY be present in the message. + It is considered an error if there is more than one instance of + the AVP. + + 1 One instance of the AVP MUST be present in the message. + + 0+ Zero or more instances of the AVP MAY be present in the + message. + + +---------------------------+ + | Message Type | + +---+---+---+---+---+---+---+ + Attribute Name |PCI|PAR|PAN|PTR|PTA|PNR|PNA| + ----------------------+---+---+---+---+---+---+---+ + AUTH | 0 |0-1|0-1|0-1|0-1|0-1|0-1| + EAP-Payload | 0 |0-1|0-1| 0 | 0 | 0 | 0 | + Integrity-Algorithm | 0 |0+ |0-1| 0 | 0 | 0 | 0 | + Key-Id | 0 |0-1|0-1| 0 | 0 | 0 | 0 | + Nonce | 0 |0-1|0-1| 0 | 0 | 0 | 0 | + PRF-Algorithm | 0 |0+ |0-1| 0 | 0 | 0 | 0 | + Result-Code | 0 |0-1| 0 | 0 | 0 | 0 | 0 | + Session-Lifetime | 0 |0-1| 0 | 0 | 0 | 0 | 0 | + Termination-Cause | 0 | 0 | 0 | 1 | 0 | 0 | 0 | + ----------------------+---+---+---+---+---+---+---+ + + Figure 4: AVP Occurrence Table + +8.1. AUTH AVP + + The AUTH AVP (AVP Code 1) is used to integrity protect PANA messages. + The AVP data payload contains the Message Authentication Code encoded + in network byte order. The AVP length varies depending on the + integrity algorithm used. The AVP data is of type OctetString. + +8.2. EAP-Payload AVP + + The EAP-Payload AVP (AVP Code 2) is used for encapsulating the actual + EAP message that is being exchanged between the EAP peer and the EAP + authenticator. The AVP data is of type OctetString. + + + + + + + + +Forsberg, et al. Standards Track [Page 30] + +RFC 5191 PANA May 2008 + + +8.3. Integrity-Algorithm AVP + + The Integrity-Algorithm AVP (AVP Code 3) is used for conveying the + integrity algorithm to compute an AUTH AVP. The AVP data is of type + Unsigned32. The AVP data contains an Internet Key Exchange Protocol + version 2 (IKEv2) Transform ID of Transform Type 3 [RFC4306] for the + integrity algorithm. All PANA implementations MUST support + AUTH_HMAC_SHA1_160 (7) [RFC4595]. + +8.4. Key-Id AVP + + The Key-Id AVP (AVP Code 4) is of type Integer32 and contains an MSK + identifier. The MSK identifier is assigned by PAA and MUST be unique + within the PANA session. + +8.5. Nonce AVP + + The Nonce AVP (AVP Code 5) carries a randomly chosen value that is + used in cryptographic key computations. The recommendations in + [RFC4086] apply with regard to generation of random values. The AVP + data is of type OctetString, and it contains a randomly generated + value in opaque format. The data length MUST be between 8 and 256 + octets, inclusive. + + The length of the nonces are determined based on the available + pseudo-random functions (PRFs) and the degree of trust placed into + the PaC and the PAA to compute random values. The length of the + random value for the nonce is determined in one of two ways, + depending on whether: + + 1. The PaC and the PAA each are likely to be able to compute a + random nonce (according to [RFC4086]). The length of the nonce + has to be 1/2 the length of the PRF key (e.g., 10 octets in the + case of HMAC-SHA1). + + 2. The PaC and the PAA each are not trusted with regard to the + computation of a random nonce (according to [RFC4086]). The + length of the nonce has to have the full length of the PRF key + (e.g., 20 octets in the case of HMAC-SHA1). + + Furthermore, the strongest available PRF for PANA has to be + considered in this computation. Currently, only a single PRF (namely + HMAC-SHA1) is available and therefore the maximum output length is 20 + octets. Therefore, the maximum length of the nonce value SHOULD be + 20 octets. + + + + + + +Forsberg, et al. Standards Track [Page 31] + +RFC 5191 PANA May 2008 + + +8.6. PRF-Algorithm AVP + + The PRF-Algorithm AVP (AVP Code 6) is used for conveying the + pseudo-random function to derive PANA_AUTH_KEY. The AVP data is of + type Unsigned32. The AVP data contains an IKEv2 Transform ID of + Transform Type 2 [RFC4306]. All PANA implementations MUST support + PRF_HMAC_SHA1 (2) [RFC2104]. + +8.7. Result-Code AVP + + The Result-Code AVP (AVP Code 7) is of type Unsigned32 and indicates + whether an EAP authentication was completed successfully. + Result-Code AVP values are described below. + + PANA_SUCCESS 0 + + Both authentication and authorization processes are successful. + + PANA_AUTHENTICATION_REJECTED 1 + + Authentication has failed. When authentication fails, + authorization is also considered to have failed. + + PANA_AUTHORIZATION_REJECTED 2 + + The authorization process has failed. This error could occur when + authorization is rejected by a AAA server or rejected locally by a + PAA, even if the authentication procedure has succeeded. + +8.8. Session-Lifetime AVP + + The Session-Lifetime AVP (AVP Code 8) contains the number of seconds + remaining before the current session is considered expired. The AVP + data is of type Unsigned32. + + + + + + + + + + + + + + + + + +Forsberg, et al. Standards Track [Page 32] + +RFC 5191 PANA May 2008 + + +8.9. Termination-Cause AVP + + The Termination-Cause AVP (AVP Code 9) is used for indicating the + reason why a session is terminated by the requester. The AVP data is + of type Enumerated. The following Termination-Cause data values are + used with PANA. + + LOGOUT 1 (PaC -> PAA) + + The client initiated a disconnect. + + ADMINISTRATIVE 4 (PAA -> PaC) + + The client was not granted access or was disconnected due to + administrative reasons. + + SESSION_TIMEOUT 8 (PAA -> PaC) + + The session has timed out, and service has been terminated. + +9. Retransmission Timers + + The PANA protocol provides retransmissions for the + PANA-Client-Initiation message and all request messages. + + PANA retransmission timers are based on the model used in DHCPv6 + [RFC3315]. Variables used here are also borrowed from this + specification. PANA is a request/response-based protocol. The + message exchange terminates when the requester successfully receives + the answer, or the message exchange is considered to have failed + according to the retransmission mechanism described below. + + The retransmission behavior is controlled and described by the + following variables: + + RT Retransmission timeout from the previous (re)transmission + + IRT Base value for RT for the initial retransmission + + MRC Maximum retransmission count + + MRT Maximum retransmission time + + MRD Maximum retransmission duration + + RAND Randomization factor + + + + + +Forsberg, et al. Standards Track [Page 33] + +RFC 5191 PANA May 2008 + + + With each message transmission or retransmission, the sender sets RT + according to the rules given below. If RT expires before the message + exchange terminates, the sender recomputes RT and retransmits the + message. + + Each of the computations of a new RT include a randomization factor + (RAND), which is a random number chosen with a uniform distribution + between -0.1 and +0.1. The randomization factor is included to + minimize the synchronization of messages. + + The algorithm for choosing a random number does not need to be + cryptographically sound. The algorithm SHOULD produce a different + sequence of random numbers from each invocation. + + RT for the first message retransmission is based on IRT: + + RT = IRT + RAND*IRT + + RT for each subsequent message retransmission is based on the + previous value of RT: + + RT = 2*RTprev + RAND*RTprev + + MRT specifies an upper bound on the value of RT (disregarding the + randomization added by the use of RAND). If MRT has a value of 0, + there is no upper limit on the value of RT. Otherwise: + + if (RT > MRT) + RT = MRT + RAND*MRT + + MRC specifies an upper bound on the number of times a sender may + retransmit a message. Unless MRC is zero, the message exchange fails + once the sender has transmitted the message MRC times. + + MRD specifies an upper bound on the length of time a sender may + retransmit a message. Unless MRD is zero, the message exchange fails + once MRD seconds have elapsed since the client first transmitted the + message. + + If both MRC and MRD are non-zero, the message exchange fails whenever + either of the conditions specified in the previous two paragraphs are + met. + + If both MRC and MRD are zero, the client continues to transmit the + message until it receives a response. + + + + + + +Forsberg, et al. Standards Track [Page 34] + +RFC 5191 PANA May 2008 + + +9.1. Transmission and Retransmission Parameters + + This section presents a table of values used to describe the message + retransmission behavior of PANA requests (REQ_*) and PANA-Client- + Initiation message (PCI_*). The table shows default values. + + Parameter Default Description + --------------------------------------------------------------------- + PCI_IRT 1 sec Initial PCI timeout. + PCI_MRT 120 secs Max PCI timeout value. + PCI_MRC 0 Max PCI retransmission attempts. + PCI_MRD 0 Max PCI retransmission duration. + + REQ_IRT 1 sec Initial Request timeout. + REQ_MRT 30 secs Max Request timeout value. + REQ_MRC 10 Max Request retransmission attempts. + REQ_MRD 0 Max Request retransmission duration. + + So, for example, the first RT for the PANA-Auth-Request (PAR) message + is calculated using REQ_IRT as the IRT: + + RT = REQ_IRT + RAND*REQ_IRT + +10. IANA Considerations + + This section provides guidance to the Internet Assigned Numbers + Authority (IANA) regarding the registration of values related to the + PANA protocol, in accordance with BCP 26 [IANA]. The following + policies are used here with the meanings defined in BCP 26: "Private + Use", "First Come First Served", "Expert Review", "Specification + Required", "IETF Consensus", and "Standards Action". + + This section explains the criteria to be used by the IANA for + assignment of numbers within namespaces defined within this document. + + For registration requests where a Designated Expert should be + consulted, the responsible IESG Area Director should appoint the + Designated Expert. For Designated Expert with Specification + Required, the request is posted to the PANA WG mailing list (or, if + it has been disbanded, a successor designated by the Area Director) + for comment and review, and MUST include a pointer to a public + specification. Before a period of 30 days has passed, the Designated + Expert will either approve or deny the registration request and + + + + + + + + +Forsberg, et al. Standards Track [Page 35] + +RFC 5191 PANA May 2008 + + + publish a notice of the decision to the PANA WG mailing list or its + successor. A denial notice must be justified by an explanation and, + in the cases where it is possible, concrete suggestions on how the + request can be modified so as to become acceptable. + + IANA has created a registry for PANA. + +10.1. PANA UDP Port Number + + PANA uses one well-known UDP port number (see Section 6.1), which has + been assigned by the IANA (716). + +10.2. PANA Message Header + + As defined in Section 6.2, the PANA message header contains two + fields that require IANA namespace management; the Message Type and + Flags fields. + +10.2.1. Message Type + + The Message Type namespace is used to identify PANA messages. + Message Type 0 is not used and is not assigned by IANA. The range of + values 1 - 65,519 are for permanent, standard message types, + allocated by IETF Consensus [IANA]. This document defines the range + of values 1 - 4. The same Message Type is used for both the request + and the answer messages, except for type 1. The Request bit + distinguishes requests from answers. See Section 7 for the + assignment of the namespace in this specification. + + The range of values 65,520 - 65,535 (hexadecimal values 0xfff0 - + 0xffff) are reserved for experimental messages. As these codes are + only for experimental and testing purposes, no guarantee is made for + interoperability between the communicating PaC and PAA using + experimental commands, as outlined in [IANA-EXP]. + +10.2.2. Flags + + There are 16 bits in the Flags field of the PANA message header. + This document assigns bit 0 ('R'), 1 ('S'), 2 ('C'), 3 ('A'), 4 + ('P'), and 5 ('I') in Section 6.2. The remaining bits MUST only be + assigned via a Standards Action [IANA]. + +10.3. AVP Header + + As defined in Section 6.3, the AVP header contains three fields that + require IANA namespace management; the AVP Code, AVP Flags, and + Vendor-Id fields, where only the AVP Code and AVP Flags created new + namespaces. + + + +Forsberg, et al. Standards Track [Page 36] + +RFC 5191 PANA May 2008 + + +10.3.1. AVP Code + + The 16-bit AVP code namespace is used to identify attributes. There + are multiple namespaces. Vendors can have their own AVP codes + namespace, which will be identified by their Vendor-Id (also known as + Enterprise-Number), and they control the assignments of their + vendor-specific AVP codes within their own namespace. The absence of + a Vendor-Id identifies the IETF IANA controlled AVP codes namespace. + The AVP codes, and sometimes also possible values in an AVP, are + controlled and maintained by IANA. + + AVP Code 0 is not used and is not assigned by IANA. This document + defines the AVP Codes 1-9. See Section 8.1 through Section 8.9 for + the assignment of the namespace in this specification. + + AVPs may be allocated following Designated Expert Review with + Specification Required [IANA] or Standards Action. + + Note that PANA defines a mechanism for Vendor-Specific AVPs, where + the Vendor-Id field in the AVP header is set to a non-zero value. + Vendor-Specific AVP codes are for Private Use and should be + encouraged instead of allocation of global attribute types, for + functions specific only to one vendor's implementation of PANA, where + no interoperability is deemed useful. Where a Vendor-Specific AVP is + implemented by more than one vendor, allocation of global AVPs should + be encouraged instead. + +10.3.2. Flags + + There are 16 bits in the AVP Flags field of the AVP header, defined + in Section 6.3. This document assigns bit 0 ('V'). The remaining + bits should only be assigned via a Standards Action . + +10.4. AVP Values + + Certain AVPs in PANA define a list of values with various meanings. + For attributes other than those specified in this section, adding + additional values to the list can be done on a First Come, First + Served basis by IANA [IANA]. + +10.4.1. Result-Code AVP Values + + As defined in Section 8.7, the Result-Code AVP (AVP Code 7) defines + the values 0-2. + + All remaining values are available for assignment via IETF Consensus + [IANA]. + + + + +Forsberg, et al. Standards Track [Page 37] + +RFC 5191 PANA May 2008 + + +10.4.2. Termination-Cause AVP Values + + As defined in Section 8.9, the Termination-Cause AVP (AVP Code 9) + defines the values 1, 4, and 8. + + All remaining values are available for assignment via IETF Consensus + [IANA]. + +11. Security Considerations + + The PANA protocol defines a UDP-based EAP encapsulation that runs + between two IP-enabled nodes. Various security threats that are + relevant to a protocol of this nature are outlined in [RFC4016]. + Security considerations stemming from the use of EAP and EAP methods + are discussed in [RFC3748] [EAP-KEYING]. This section provides a + discussion on the security-related issues that are related to PANA + framework and protocol design. + + An important element in assessing the security of PANA design and + deployment in a network is the presence of lower-layer security. In + the context of this document, lower layers are said to be secure if + the environment provides adequate protection against spoofing and + confidentiality based on its operational needs. For example, DSL and + cdma2000 networks' lower-layer security is enabled even before + running the first PANA-based authentication. In the absence of such + a preestablished secure channel prior to running PANA, one can be + created after the successful PANA authentication using a link-layer + or network-layer cryptographic mechanism (e.g., IPsec). + +11.1. General Security Measures + + PANA provides multiple mechanisms to secure a PANA session. + + PANA messages carry sequence numbers, which are monotonically + incremented by 1 with every new request message. These numbers are + randomly initialized at the beginning of the session, and they are + verified against expected numbers upon receipt. A message whose + sequence number is different than the expected one is silently + discarded. In addition to accomplishing orderly delivery of EAP + + + + + + + + + + + + +Forsberg, et al. Standards Track [Page 38] + +RFC 5191 PANA May 2008 + + + messages and duplicate elimination, this scheme also helps prevent an + adversary from spoofing messages to disturb ongoing PANA and EAP + sessions unless it can also eavesdrop to synchronize with the + expected sequence number. Furthermore, impact of replay attacks is + reduced as any stale message (i.e., a request or answer with an + unexpected sequence number and/or a session identifier for a + non-existing session) and any duplicate answer are immediately + discarded, and a duplicate request can trigger transmission of the + cached answer (i.e., no need to process the request and generate a + new answer). + + The PANA framework defines EP, which is ideally located on a network + device that can filter traffic from the PaCs before the traffic + enters the Internet/intranet. A set of filters can be used to + discard unauthorized packets, such as the initial PANA-Auth-Request + message that is received from the segment of the access network, + where only the PaCs are supposed to be connected (i.e., preventing + PAA impersonation). + + The protocol also provides authentication and integrity protection to + PANA messages when the used EAP method can generate cryptographic + session keys. A PANA SA is generated based on the MSK exported by + the EAP method. This SA is used for generating an AUTH AVP to + protect the PANA message header and payload (including the complete + EAP message). + + The cryptographic protection prevents an adversary from acting as a + man-in-the-middle, injecting messages, replaying messages and + modifying the content of the exchanged messages. Any packet that + fails to pass the AUTH verification is silently discarded. The + earliest this protection can be enabled is when the PANA-Auth-Request + message that signals a successful authentication (EAP Success) is + generated. Starting with these messages, any subsequent PANA message + can be cryptographically protected until the session gets torn down. + + The lifetime of the PANA SA is set to the PANA session lifetime, + which is bounded by the authorization lifetime granted by the + authentication server. An implementation MAY add a grace period to + that value. Unless the PANA session is extended by executing another + EAP authentication, the PANA SA is removed when the current session + expires. + + + + + + + + + + +Forsberg, et al. Standards Track [Page 39] + +RFC 5191 PANA May 2008 + + + The ability to use cryptographic protection within PANA is determined + by the used EAP method, which is generally dictated by the deployment + environment. Insecure lower layers necessitate the use of + key-generating EAP methods. In networks where lower layers are + already secured, cryptographic protection of PANA messages is not + necessary. + +11.2. Initial Exchange + + The initial PANA-Auth-Request and PANA-Auth-Answer exchange is + vulnerable to spoofing attacks as these messages are not + authenticated and integrity protected. In order to prevent very + basic DoS attacks, an adversary should not be able to cause state + creation by sending PANA-Client-Initiation messages to the PAA. This + protection is achieved by allowing the responder (PAA) to create as + little state as possible in the initial message exchange. However, + it is difficult to prevent all spoofing attacks in the initial + message exchange entirely. + +11.3. EAP Methods + + Eavesdropping EAP messages might cause problems when the EAP method + is weak and enables dictionary or replay attacks or even allows an + adversary to learn the long-term password directly. Furthermore, if + the optional EAP Response/Identity payload is used, then it allows + the adversary to learn the identity of the PaC. In such a case, a + privacy problem is prevalent. + + To prevent these threats, [RFC5193] suggests using proper EAP methods + for particular environments. Depending on the deployment + environment, an EAP authentication method that supports user-identity + confidentiality, protection against dictionary attacks, and + session-key establishment must be used. It is therefore the + responsibility of the network operators and users to choose a proper + EAP method. + +11.4. Cryptographic Keys + + When the EAP method exports an MSK, this key is used to produce a + PANA SA with PANA_AUTH_KEY with a distinct key ID. The PANA_AUTH_KEY + is unique to the PANA session, and it takes PANA-based nonce values + into computation to cryptographically separate itself from the MSK. + + The PANA_AUTH_KEY is solely used for the authentication and integrity + protection of the PANA messages within the designated session. + + + + + + +Forsberg, et al. Standards Track [Page 40] + +RFC 5191 PANA May 2008 + + + The PANA SA lifetime is bounded by the MSK lifetime. Another + execution of the EAP method yields a new MSK, and it updates the PANA + SA, PANA_AUTH_KEY, and key ID. + +11.5. Per-Packet Ciphering + + Networks that are not secured at the lower layers prior to running + PANA can rely on enabling per-packet data-traffic ciphering upon + successful PANA SA establishment. The PANA framework allows + generation of cryptographic keys from the PANA SA and uses the keys + with a secure association protocol to enable per-packet cryptographic + protection, such as link-layer or IPsec-based ciphering [PANA-IPSEC]. + These mechanisms ultimately establish a cryptographic binding between + the data traffic generated by and for a client and the authenticated + identity of the client. Data traffic can be data origin + authenticated, replay and integrity protected, and optionally + encrypted using the cryptographic keys. How these keys are generated + from the PANA SA and used with a secure association protocol is + outside the scope of this document. + +11.6. PAA-to-EP Communication + + The PANA framework allows separation of PAA from EP. The protocol + exchange between the PAA and EP for provisioning authorized PaC + information on the EP must be protected for authentication, + integrity, and replay protection. + +11.7. Liveness Test + + A PANA session is associated with a session lifetime. The session is + terminated unless it is refreshed by a new round of EAP + authentication before it expires. Therefore, the latest a + disconnected client can be detected is when its session expires. A + disconnect may also be detected earlier by using PANA ping messages. + + + + + + + + + + + + + + + + + +Forsberg, et al. Standards Track [Page 41] + +RFC 5191 PANA May 2008 + + + A request message can be generated by either PaC or PAA at any time + in access phase with the expectation that the peer responds with an + answer message. A successful round-trip of this exchange is a simple + verification that the peer is alive. + + This test can be engaged when there is a possibility that the peer + might have disconnected (e.g., after the discontinuation of data + traffic for an extended period of time). Periodic use of this + exchange as a keep-alive requires additional care, as it might result + in congestion and hence false alarms. + + This exchange is cryptographically protected when a PANA SA is + available in order to prevent threats associated with the abuse of + this functionality. + + Any valid PANA answer message received in response to a recently sent + request message can be taken as an indication of a peer's liveness. + The PaC or PAA MAY forgo sending an explicit ping request message if + a recent exchange has already confirmed that the peer is alive. + +11.8. Early Termination of a Session + + The PANA protocol supports the ability for both the PaC and the PAA + to transmit a tear-down message before the session lifetime expires. + This message causes state removal, a stop of the accounting procedure + and removes the installed per-PaC state on the EP(s). This message + is cryptographically protected when PANA SA is present. + +12. Acknowledgments + + We would like to thank Mark Townsley, Jari Arkko, Mohan + Parthasarathy, Julien Bournelle, Rafael Marin Lopez, Pasi Eronen, + Randy Turner, Erik Nordmark, Lionel Morand, Avi Lior, Susan Thomson, + Giaretta Gerardo, Joseph Salowey, Sasikanth Bharadwaj, Spencer + Dawkins, Tom Yu, Bernard Aboba, Subir Das, John Vollbrecht, Prakash + Jayaraman, and all members of the PANA working group for their + valuable comments on this document. + +13. References + +13.1. Normative References + + [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: + Keyed-Hashing for Message Authentication", RFC 2104, + February 1997. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + + +Forsberg, et al. Standards Track [Page 42] + +RFC 5191 PANA May 2008 + + + [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and + J. Arkko, "Diameter Base Protocol", RFC 3588, September + 2003. + + [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and + H. Levkowetz, Ed., "Extensible Authentication Protocol + (EAP)", RFC 3748, June 2004. + + [RFC4086] Eastlake, D., 3rd, Schiller, J., and S. Crocker, + "Randomness Requirements for Security", BCP 106, RFC + 4086, June 2005. + + [RFC5234] Crocker, D., Ed., and P. Overell, "Augmented BNF for + Syntax Specifications: ABNF", STD 68, RFC 5234, January + 2008. + + [RFC5192] Morand, L., Yegin A., Kumar S., and S. Madanapalli, + "DHCP Options for Protocol for Carrying Authentication + for Network Access (PANA) Authentication Agents", RFC + 5192, May 2008. + + [IANA] Narten, T. and H. Alvestrand, "Guidelines for Writing + an IANA Considerations Section in RFCs", BCP 26, RFC + 2434, October 1998. + +13.2. Informative References + + [RFC3315] Droms, R., Ed., Bound, J., Volz, B., Lemon, T., + Perkins, C., and M. Carney, "Dynamic Host Configuration + Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003. + + [RFC4016] Parthasarathy, M., "Protocol for Carrying + Authentication and Network Access (PANA) Threat + Analysis and Security Requirements", RFC 4016, March + 2005. + + [RFC4058] Yegin, A., Ed., Ohba, Y., Penno, R., Tsirtsis, G., and + C. Wang, "Protocol for Carrying Authentication for + Network Access (PANA) Requirements", RFC 4058, May + 2005. + + [RFC4137] Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba, + "State Machines for Extensible Authentication Protocol + (EAP) Peer and Authenticator", RFC 4137, August 2005. + + [RFC4306] Kaufman, C., Ed., "Internet Key Exchange (IKEv2) + Protocol", RFC 4306, December 2005. + + + + +Forsberg, et al. Standards Track [Page 43] + +RFC 5191 PANA May 2008 + + + [RFC4595] Maino, F. and D. Black, "Use of IKEv2 in the Fibre + Channel Security Association Management Protocol", RFC + 4595, July 2006. + + [RFC5193] Jayaraman, P., Lopez R., Ohba Y., Ed., Parthasarathy, + M., and A. Yegin, "Protocol for Carrying Authentication + for Network Access (PANA) Framework", RFC 5193, May + 2008. + + [EAP-KEYING] Aboba, B., Simon D., and P. Eronen, "Extensible + Authentication Protocol (EAP) Key Management + Framework", Work in Progress, November 2007. + + [PANA-IPSEC] Parthasarathy, M., "PANA Enabling IPsec based Access + Control", Work in progress, July 2005. + + [IANAWEB] IANA, "Number assignment", http://www.iana.org. + + [IANA-EXP] Narten, T., "Assigning Experimental and Testing Numbers + Considered Useful", BCP 82, RFC 3692, January 2004. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Forsberg, et al. Standards Track [Page 44] + +RFC 5191 PANA May 2008 + + +Authors' Addresses + + Dan Forsberg + Nokia Research Center + P.O. Box 407 + FIN-00045 NOKIA GROUP + Finland + + Phone: +358 50 4839470 + EMail: dan.forsberg@nokia.com + + + Yoshihiro Ohba + Toshiba America Research, Inc. + 1 Telcordia Drive + Piscataway, NJ 08854 + USA + + Phone: +1 732 699 5305 + EMail: yohba@tari.toshiba.com + + + Basavaraj Patil + Nokia Siemens Networks + 6000 Connection Drive + Irving, TX 75039 + USA + + EMail: basavaraj.patil@nsn.com + + + Hannes Tschofenig + Nokia Siemens Networks + Linnoitustie 6 Espoo 02600 + Finland + + Phone: +358 (50) 4871445 + EMail: Hannes.Tschofenig@nsn.com + URI: http://www.tschofenig.priv.at + + Alper E. Yegin + Samsung + Istanbul, Turkey + + EMail: a.yegin@partner.samsung.com + + + + + + +Forsberg, et al. Standards Track [Page 45] + +RFC 5191 PANA May 2008 + + +Full Copyright Statement + + Copyright (C) The IETF Trust (2008). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND + THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF + THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + + + + + + + + + + + + +Forsberg, et al. Standards Track [Page 46] + |